Design for Organizational Complexity

1. A company is setting up a new multi-account AWS environment and wants to automate account vending, enforce guardrails, and separate workloads by environment type. Which AWS Landing Zone account separation best represents the recommended structure?

• A.A single master account containing all workloads, with IAM-based separation between Dev, Staging, and Production environments.
• B.Separate AWS accounts for Dev, Prod, Shared Services, Logging, and Security to enforce isolation, centralize logs, and apply guardrails per account.✓ Correct
• C.Two accounts — one for development workloads and one for production — sharing a centralized VPC and logging bucket.
• D.An account per AWS Region, each containing both development and production workloads, with separate S3 buckets for logging.

2. An architect is designing an AWS Landing Zone. The security team requires that all CloudTrail logs from every account be immutable and centrally accessible, while the networking team needs shared VPCs. Which account types satisfy these requirements?

• A.Use the master (management) account for both CloudTrail log aggregation and shared VPC hosting to minimize account sprawl.
• B.Use the Security account for centralized, read-only log aggregation and the Shared Services account for hosting shared networking resources like Transit Gateway.✓ Correct
• C.Use the Logging account for shared VPCs and the Dev account for centralized CloudTrail log aggregation to reduce cost.
• D.Use a single Security account for both log aggregation and shared networking, restricting all teams to read-only access on that account.

3. A DevOps engineer is configuring CloudFormation StackSets to deploy a standard S3 logging bucket across 15 member accounts and 3 AWS Regions. The deployments are failing with an access error. Which IAM prerequisite is most likely missing in the target accounts?

• A.The AWSCloudFormationStackSetAdministratorRole must be created in every target account so each account can self-administer its own stacks.
• B.The AWSCloudFormationStackSetExecutionRole must exist in each target account and trust the administrator account to allow StackSets to deploy resources.✓ Correct
• C.An inline IAM policy granting cloudformation:* must be attached directly to the root user of each target account for StackSets to function.
• D.AWS Organizations Service Control Policies must be removed from all target accounts before CloudFormation StackSets can assume cross-account roles.

4. An organization uses self-managed CloudFormation StackSets. The administrator account (ID: 111111111111) needs to deploy stacks into a target account (ID: 222222222222). Which configuration correctly establishes the required trust relationship?

• A.Create AWSCloudFormationStackSetAdministratorRole in account 222222222222 with a trust policy allowing sts:AssumeRole from account 111111111111.
• B.Create AWSCloudFormationStackSetExecutionRole in account 222222222222 with a trust policy allowing sts:AssumeRole from account 111111111111.✓ Correct
• C.Create AWSCloudFormationStackSetExecutionRole in account 111111111111 with a trust policy allowing sts:AssumeRole from account 222222222222.
• D.Attach an AWSCloudFormationFullAccess managed policy to the root user in account 222222222222 and enable cross-account access in the StackSets console.

5. A cloud governance team uses AWS Service Catalog to deliver approved infrastructure patterns. A new CloudFormation template version of an existing product has been uploaded. The old version must remain available only to existing deployments but must not be offered to new users. Which version state achieves this?

• A.Set the old version to Deleted state so it is removed from the catalog but existing provisioned products continue to function normally.
• B.Set the old version to Inactive state so it is hidden from new users but still supports existing provisioned products already launched from it.✓ Correct
• C.Set the old version to Active state with a deprecation tag, and rely on launch constraints to prevent new users from selecting it.
• D.Remove the old version from the portfolio and re-add only the new version, which automatically migrates existing provisioned products to the new version.